Replace LGTM with GitHub CodeQL.

Many warnings silenced for now.

.codeql-config.yml

@@ -0,0 +1,31 @@
+name: "Cryptsetup CodeQL config"
+
+query-filters:
+- exclude:
+     id: cpp/fixme-comment
+- exclude:
+     id: cpp/empty-block
+- exclude:
+     id: cpp/poorly-documented-function
+- exclude:
+     id: cpp/loop-variable-changed
+- exclude:
+     id: cpp/empty-if
+- exclude:
+     id: cpp/long-switch
+- exclude:
+     id: cpp/complex-condition
+- exclude:
+     id: cpp/commented-out-code
+
+# These produce many false positives
+- exclude:
+     id: cpp/uninitialized-local
+- exclude:
+     id: cpp/path-injection
+- exclude:
+     id: cpp/missing-check-scanf
+
+# CodeQL should understand coverity [toctou] comments
+- exclude:
+     id: cpp/toctou-race-condition

.github/workflows/cibuild-setup-ubuntu.sh

@@ -7,7 +7,7 @@ PACKAGES=(
 	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev
 	libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev libpwquality-dev
 	sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass
-	asciidoctor
+	asciidoctor meson ninja-build
 )
 
 COMPILER="${COMPILER:?}"

.github/workflows/codeql.yml

@@ -0,0 +1,53 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches:
+      - 'main'
+      - 'wip-luks2'
+      - 'v2.3.x'
+      - 'v2.4.x'
+    paths-ignore:
+      - 'docs/**'
+      - 'lib/crypto_backend/argon2/**'
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    if: github.repository == 'mbroz/cryptsetup'
+    concurrency:
+      group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
+      cancel-in-progress: true
+    permissions:
+      actions: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp' ]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-extended,security-and-quality
+          config-file: .codeql-config.yml
+
+      - name: Install dependencies
+        run: sudo -E .github/workflows/cibuild-setup-ubuntu.sh
+        env: { COMPILER: "gcc", COMPILER_VERSION: "11",  RUN_SSH_PLUGIN_TEST: "1" }
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2

.lgtm.yml

@@ -1,11 +0,0 @@
-queries:
-  - exclude: cpp/fixme-comment
-  - exclude: cpp/empty-block
-# symver attribute detection cannot be used, disable it for lgtm
-extraction:
-  cpp:
-    configure:
-      command:
-      - "./autogen.sh"
-      - "./configure --enable-external-tokens --enable-ssh-token"
-      - "echo \"#undef HAVE_ATTRIBUTE_SYMVER\" >> config.h"